Recurrent neural networks for malware analysis

What is claimed is: 1. A computer-implemented method comprising: receiving or accessing executable code comprising instructions; disassembling the executable code to generate a trace of the instructions; applying a recurrent neural network (RNN) to the trace to generate a hidden state corresponding to each instruction to form a feature vector; generating a concatenation of the feature vector with hand-engineered features extracted from the executable code; determining, using a classifier and the concatenation, a likelihood that the executable code comprises malicious code; and disallowing, based on the determining, the code from executing; wherein the classifier is different from the RNN. 2. The method of claim 1 , wherein the applying further comprises: dividing the trace into a plurality of regions; determining an entropy of each of the plurality of regions; and ignoring each region with a low entropy. 3. The method of claim 1 , wherein the disassembling further comprises: determining an entry point of the executable code; and generating a time-based trace of the instructions based on the entry point. 4. The method of claim 1 , wherein an input to the RNN is set to a fixed length of 4 or 8 bytes per instruction. 5. The method of claim 1 , wherein an instruction set of the executable code comprises an x86 instruction set. 6. The method of claim 1 , wherein the RNN is at least one of an Elman network, a long short-term memory network, a clockwork RNN, or an echo-state network. 7. The method of claim 1 , wherein applying the recurrent neural network further comprises applying backpropagation through time (BPTT). 8. The method of claim 1 , wherein applying the recurrent neural network further comprises deobfuscating or decompressing the trace. 9. A system comprising: one or more data processors having memory storing instructions, which when executed result in operations comprising: receiving or accessing executable code comprising instructions; disassembling the executable code to generate a trace of the instructions; applying a recurrent neural network (RNN) to the trace to generate a hidden state corresponding to each instruction to form a feature vector; generating a concatenation of the feature vector with hand-engineered features extracted from the executable code; determining, using a classifier and the concatenation, a likelihood that the executable code comprises malicious code; and disallowing, based on the determining, the code from executing; wherein the classifier is different from the RNN. 10. The system of claim 9 , wherein the applying further comprises: dividing the trace into a plurality of regions; determining an entropy of each of the plurality of regions; and ignoring each region with a low entropy. 11. The system of claim 9 , wherein the disassembling further comprises: determining an entry point of the executable code; and generating a time-based trace of the instructions based on the entry point. 12. The system of claim 9 , wherein an input to the RNN is set to a fixed length of 4 or 8 bytes per instruction. 13. The system of claim 9 , wherein an instruction set of the executable code comprises an x86 instruction set. 14. The system of claim 9 , wherein the RNN is at least one of an Elman network, a long short-term memory network, a clockwork RNN, or an echo-state network. 15. The system of claim 9 , wherein applying the recurrent neural network further comprises applying backpropagation through time (BPTT). 16. The system of claim 9 , wherein applying the recurrent neural network further comprises deobfuscating or decompressing the trace. 17. A non-transitory computer readable storage medium storing one or more programs configured to be executed by one or more data processors, the one or more programs comprising instructions, the instructions comprising: receiving executable code; disassembling the executable code; generating a hidden state for each of a plurality of instructions by applying a recurrent neural network (RNN) to the disassembled executable code to generate a feature vector; and determining, using a classifier, a likelihood that the executable code comprises malicious code based on the feature vector; wherein the classifier is different from the RNN. 18. The non-transitory computer readable storage medium of claim 17 , wherein the applying further comprises: dividing the trace into a plurality of regions; determining an entropy of each of the plurality of regions; and ignoring each region with a low entropy. 19. The non-transitory computer readable storage medium of claim 17 , wherein the disassembling further comprises: determining an entry point of the executable code; and generating a time-based trace of the instructions based on the entry point. 20. The non-transitory computer readable storage medium of claim 17 , wherein applying the recurrent neural network further comprises deobfuscating or decompressing the trace.